WordPress and its many plugins are constantly updated, but there are always ways to tighten up security. After all, there is no such thing as too much security.
1. No defaults
The first step you can take is at the install screen. When prompted, don’t accept the default ‘wp_’ prefix for database tables; add a custom prefix instead. In addition, use something other than ‘admin’ as your admin username, as it is too easy to guess.
2. Remove unnecessary files
Once you have successfully installed WordPress, remove the installation file (wp-admin/install.php) and the readme.html file.
3. .htaccess security
In addition, you may want to create a .htaccess file with the following, and upload it to the root of the site:
# Block all web access to wp-config.php
# (Apache 2.2 syntax; on Apache 2.4 use 'Require all denied' inside the block instead)
<files wp-config.php>
order allow,deny
deny from all
</files>
# Reject (403) requests whose query string contains script tags or tries to set GLOBALS / _REQUEST
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
# Disable directory listings
Options -Indexes
This blocks web access to your wp-config.php file, rejects query strings that look like script injection, and disables directory listing.
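As an added example (not part of the original post), the following shell script audits a WordPress document root for the step 1 to 3 items above: default table prefix, leftover install files, and the two .htaccess protections. It assumes default WordPress paths and builds two throwaway fixtures under mktemp, so it runs without touching a real site; the ‘admin’ username check needs the database and is left out.

```shell
#!/bin/sh
# Added example, not from the original post: audit a WordPress root for the
# step 1-3 hardening items. Paths are WordPress defaults; no DB access needed.

# Prints one "FINDING: ..." line per problem on stderr and the count on stdout.
wp_audit() {
    root="$1"; findings=0
    # Step 1: table prefix in wp-config.php must not be the default wp_
    if grep -Eq '^[[:space:]]*\$table_prefix[[:space:]]*=[[:space:]]*.wp_.' \
            "$root/wp-config.php" 2>/dev/null; then
        echo "FINDING: default table prefix wp_ in wp-config.php" >&2
        findings=$((findings + 1))
    fi
    # Step 2: leftover installation files should have been removed
    for f in wp-admin/install.php readme.html; do
        if [ -e "$root/$f" ]; then
            echo "FINDING: $f still present" >&2
            findings=$((findings + 1))
        fi
    done
    # Step 3: .htaccess must deny wp-config.php and turn off directory listings
    ht="$root/.htaccess"
    for directive in '<files wp-config.php>' 'Options -Indexes'; do
        if ! grep -qi -- "$directive" "$ht" 2>/dev/null; then
            echo "FINDING: .htaccess lacks '$directive'" >&2
            findings=$((findings + 1))
        fi
    done
    echo "$findings"
}

# Constructed fixtures (no real site is touched): a fresh default install and
# a hardened one. Each prints the temporary directory it created.
fixture_default() {
    d=$(mktemp -d); mkdir -p "$d/wp-admin"
    printf '<?php\n$table_prefix = %s;\n' "'wp_'" > "$d/wp-config.php"
    : > "$d/wp-admin/install.php"; : > "$d/readme.html"
    echo "$d"
}
fixture_hardened() {
    d=$(mktemp -d); mkdir -p "$d/wp-admin"
    printf '<?php\n$table_prefix = %s;\n' "'k7q_'" > "$d/wp-config.php"
    printf '<files wp-config.php>\norder allow,deny\ndeny from all\n</files>\nOptions -Indexes\n' > "$d/.htaccess"
    echo "$d"
}

echo "default install: $(wp_audit "$(fixture_default)") finding(s)"   # 5
echo "hardened install: $(wp_audit "$(fixture_hardened)") finding(s)" # 0
```

Point `wp_audit` at a real document root to re-check a site after each plugin or theme change.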
4. Security Plugins
Now that your basic installation is locked down (or at least more secure than the default), log in to your new WordPress installation and add the following plugins:
Exploit Scanner
Secure WordPress
Ultimate Security Check
WP Security Scan
WP File Monitor
There is no “right” order in which to activate and run the plugins listed, but the order we did it in was:
5. Activate Secure WordPress and amend any settings as required.
Settings are as follows:
Error-Messages – Deactivates tooltip and error message at login of WordPress
Without this, WordPress returns error messages such as ‘Username John doesn’t exist’ or ‘Incorrect Password for User John’. Suppressing them makes brute forcing a little bit harder.
WordPress Version – Removes version of WordPress in all areas, including feed, not in admin
This is not an excuse never to update WordPress again, but should you be a bit slow to update, there’s no reason for the world to know your version and possibly exploit it.
WordPress Version in Backend / Core Update / Plugin Update / Theme Update
This is only relevant if you have non-trusted users accessing the backend.
index.php – Creates an index.php file in /plugins/ and /themes/ to keep them from showing a directory listing
The ‘Options -Indexes’ line in the .htaccess file referenced above will take care of this, but no harm in enabling it anyway.
Really Simple Discovery – Remove Really Simple Discovery link in wp_head of the frontend
Windows Live Writer – Remove Windows Live Writer link in wp_head of the frontend
WP Scanner – A free tool provided by the plugin creators that you can use for further testing if required.
Block bad queries – Protect WordPress against malicious URL requests, read more information at the post from Jeff Starr
6. Activate Ultimate Security Check
Once this is activated, go to Tools > Ultimate Security Check to get your security grade. Take note of any suggestions and take action on them. (Note: if you can’t gain access to one level above the root of your installation, you won’t be able to get full marks for ‘Check configuration file’, but not to worry).
7. Activate WP Security Scan
Go to Security > Security and take note of any messages there.
Note: unless you want to password-protect your wp-admin directory, you can ignore the message regarding the lack of a .htaccess file. If you do want to do this, be aware that it can cause problems with your WordPress installation.
Go to Security > Scanner, take note of any advice regarding file permissions, and make changes accordingly.
8. Activate and run ‘Exploit Scanner’
This plugin can be run at any point, and it is advisable to run it every time you add new plugins or make changes to your site.
You may wish to uncheck the ‘Search for suspicious styles’ checkbox as it returns a lot of false positives (as stated on the dialog screen).
Set the file size limit and the batch size, then run the scan.
Take note of any of the results.
Also take note of the text at the bottom of the settings screen:
“Unfortunately it’s impossible to catch every hack and it’s all too easy to catch false positives (show a file as suspicious when in reality it is clean). If you have been hacked, this script may help you track down what files, comments or posts have been modified. On the other hand, if this script indicates your blog is clean, don’t believe it. This is far from foolproof.”
At this point you may wish to install the rest of your site plugins, theme etc, as the final plugin will email you every time changes are made to your site.
9. Activate and configure WP File Monitor
This is a great plugin that tells you whenever any of your files are altered. You are notified by email automatically, and also on the dashboard if you opt for this. The settings are pretty self-explanatory. If you have any files that are repeatedly changed for some reason, you may wish to exclude them. To do this, add them to the ‘Exclude Paths’ textarea, ensuring each path is relative to the WordPress root.
10. Conclusion
Once you have completed all these steps, your installation will be more secure than it might have been, but it is still in no way completely secure; nothing ever is. You can further improve security by changing your passwords regularly (WordPress backend passwords and database passwords) and deleting unused plugins. It goes without saying that keeping your WordPress installation and plugins up-to-date is a must. You may also wish to install one of the many database backup tools and take regular back-ups of your database; if your data becomes compromised you can then roll back.
